main/vaseboot
main
/
vaseboot
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Fail validation if we can't find shim and Secure Boot is enabled 

If grub is signed with a key that's in the trusted EFI keyring, an attacker
can point a boot entry at grub rather than at shim and grub will fail to
locate the shim verification protocol. This would then allow booting an
arbitrary kernel image. Fail validation if Secure Boot is enabled and we
can't find the shim protocol in order to prevent this.
This commit is contained in:
Matthew Garrett 2015-04-16 16:30:53 -07:00 committed by David Michael
parent 67475f53e0
commit f4d00290ed
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
grub-core/loader/i386/efi/linux.c
View File

@ -57,8 +57,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
shim_lock = grub_efi_locate_protocol(&guid, NULL);
if (!shim_lock)
return 1;
if (!shim_lock) {
if (grub_efi_secure_boot())
return 0;
else
return 1;
}
if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
return 1;